Merge pull request #348 from yogeshojha/fix/347/xss

Fixed XSS on #347
yogeshojha · Feb 23, 2021 · 2b4c39c · 2b4c39c
2 parents 2653217 + c1f80af
commit 2b4c39c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 6 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -10,4 +10,10 @@ Please report all security issues [here](https://github.com/yogeshojha/rengine/i
 
 ## Past Security Vulnerabilities
 
-* Reflected XSS on Detail Scan Page via Page Title Parameter, Reported by [omemishra](https://github.com/omemishra)
+* [Stored XSS](https://github.com/yogeshojha/rengine/issues/178) on Detail Scan Page via Page Title Parameter, Reported by [omemishra](https://github.com/omemishra)
+* [Stored XSS](https://github.com/yogeshojha/rengine/issues/347) on Vulnerability Scan page via URL Parameter, Reported by [Arif Khan, payloadartist](https://twitter.com/payloadartist)
+
+**reNgine thanks the following people for making a responsible disclosure and helping the community make reNgine more safer!**
+
+* [onemishra](https://github.com/omemishra)
+* [Arif Khan, payloadartist](https://twitter.com/payloadartist)
diff --git a/startScan/templates/startScan/detail_vuln_scan.html b/startScan/templates/startScan/detail_vuln_scan.html
@@ -164,21 +164,21 @@ <h5 class="text-danger">Vulnerability Scan Results</h5>
 			},
 			{
 				"render": function ( data, type, row ) {
-					return "<a href='"+data+"' target='_blank' class='text-danger'>"+data+"</a>";
+					return "<a href='"+htmlEncode(data)+"' target='_blank' class='text-danger'>"+htmlEncode(data)+"</a>";
 				},
 				"targets": 3,
 			},
 			{
 				"render": function ( data, type, row ) {
 					// Could be better
 					if (data && row['matcher_name']) {
-						return data + "\n" + row['matcher_name'];
+						return htmlEncode(data) + "\n" + row['matcher_name'];
 					}
 					else if (data) {
-						return data;
+						return htmlEncode(data);
 					}
 					else if (row['matcher_name']) {
-						return row['matcher_name'].charAt(0).toUpperCase() + row['matcher_name'].slice(1);
+						return htmlEncode(row['matcher_name']).charAt(0).toUpperCase() + htmlEncode(row['matcher_name']).slice(1);
 					}
 					else {
 						return "";
@@ -188,7 +188,7 @@ <h5 class="text-danger">Vulnerability Scan Results</h5>
 			},
 			{
 				"render": function ( data, type, row ) {
-					return data;
+					return htmlEncode(data);
 				},
 				"targets": 5,
 			},